Security

Last Updated: May 5, 2020

Introduction

Kritik holds itself to high standards for the security of user data so that all customer data is kept confidential and intact. We are committed to following SaaS industry guidelines and best practices for maintaining data and information integrity.

Organizational Security

Personnel Security

Kritik's security practices apply to all employees, independent contractors and anyone with direct access to our internal systems or unescorted access to Kritik's office space. Every employee must pass a background screening and agree to our terms of confidentiality before being granted access to internal systems. All access is removed immediately upon termination of employment at Kritik.

Policies and Standards

As part of our Information Security Management System, Kritik maintains a set of 9 related policies and procedures that help ensure that our customers can rely on Kritik employees to behave ethically and on our services to operate securely. Policy topics include but are not limited to:

Authorization/Authentication

Kritik follows the principle of least privilege: employees have access only to the data they must handle to carry out the responsibilities of their current role. When an employee is hired, Kritik grants access to a small number of internal systems; any request for additional access must be approved by the employee's direct manager or by the system owner. For administrative access to systems holding sensitive data, Kritik requires multi-factor authentication wherever it is supported.

Disaster Recovery and Business Continuity

Kritik reviews and revises its business continuity and disaster recovery plans annually. Production operations are distributed across four separate physical locations, with redundant power and network connectivity supplied by our hosting provider. Kritik also stores backups from the primary operating environment at a separate location more than 500 kilometres away.

Third-Party Service Providers

For certain aspects of our operations, Kritik uses third-party providers, including Sendgrid, DigitalOcean, Amazon Web Services (AWS), and Intercom. Where these organizations can affect the security of our production environment or customer data, we take appropriate steps to ensure that Kritik's security posture is maintained. Kritik establishes agreements with all third-party providers that require them to honour the confidentiality commitments we make to our customers.

We use Sendgrid to send notification emails and text messages to users. Its data centers are operated by top-tier service providers around the world and hold Service Organization Controls (SOC 2) Type 2 reports, reflecting rigorous measures to protect consumer data, including a high level of physical security. For more information, see their security page.

DigitalOcean is the platform we use to host data in the USA and Canada. Its data centers apply physical and environmental security measures to protect their infrastructure from outside threats, including but not limited to 24/7/365 staffing with on-site physical security to prevent unauthorized entry, physical entry restrictions, and biometric readers with two-factor authentication. For more information, see their Data Security page.

AWS hosts Kritik's physical infrastructure and is explained in more detail below under Physical Security.

Kritik uses Intercom for service support inquiries. Intercom complies with the SOC 2 Type II Trust Services Principles, the EU-US Privacy Shield, and the Cloud Security Alliance. Like Kritik, it hosts its data and services on AWS. For more information, see their security page.

Security Incident Response

Kritik has documented policies and procedures for responding to security incidents, including step-by-step manuals that are reviewed and updated annually. Our production operations team manages all incidents, grading each by severity and determining the steps required to remediate it.

Physical Security

Kritik hosts our infrastructure on AWS whose data centers are equipped with multiple physical barriers of access, including:

See this whitepaper for more information on AWS security processes. Kritik employees do not have physical access to any AWS data centers, servers, networking equipment, or storage. The Kritik offices are access controlled by electronic access cards.

Technical Security Measures

Data Encryption

All Kritik data in transit over public networks is encrypted, including all traffic between Kritik's servers and Kritik clients. Kritik systems accept only encrypted customer traffic and support the latest recommended cipher suites.

Data at rest is encrypted using FIPS 140-2 validated cryptography, including but not limited to all relational databases, backups, and file stores. Encryption keys are generated in Hardware Security Modules and are never stored alongside customer or Kritik data.
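The key-separation property described above is usually implemented as envelope encryption: each record is encrypted under its own data key, and only a wrapped copy of that data key is stored with the record, while the key-encryption key stays in the HSM or key service. The following is an added illustration, not Kritik's code: the KeyService class stands in for an HSM/KMS-held key, the record layout and the use of the account id as associated data are assumptions, and it requires the third-party `cryptography` package.

```python
"""Envelope encryption for data at rest.

Added example, not Kritik's code. KeyService stands in for the HSM/KMS that
holds the key-encryption key (KEK); its interface and the record layout are
assumptions. Requires the third-party `cryptography` package.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for AES-GCM


class KeyService:
    """Stand-in for an HSM/KMS. The KEK never leaves this object; callers can
    only ask it to wrap or unwrap data keys."""

    def __init__(self) -> None:
        self._kek = AESGCM.generate_key(bit_length=256)

    def generate_data_key(self):
        """Return (plaintext DEK, wrapped DEK). Only the wrapped form may be
        persisted; the plaintext DEK is discarded after use."""
        dek = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(NONCE_LEN)
        wrapped = nonce + AESGCM(self._kek).encrypt(nonce, dek, b"dek")
        return dek, wrapped

    def unwrap_data_key(self, wrapped: bytes) -> bytes:
        nonce, ct = wrapped[:NONCE_LEN], wrapped[NONCE_LEN:]
        return AESGCM(self._kek).decrypt(nonce, ct, b"dek")


def encrypt_record(ks: KeyService, account_id: str, plaintext: bytes) -> dict:
    """Encrypt one record under a fresh DEK. The stored envelope holds the
    ciphertext and the wrapped DEK but never the KEK, so a copied datastore
    or backup is unreadable without the key service."""
    dek, wrapped = ks.generate_data_key()
    nonce = os.urandom(NONCE_LEN)
    # The owning account is authenticated as associated data, so an envelope
    # copied or relabelled to another tenant fails to decrypt.
    ct = AESGCM(dek).encrypt(nonce, plaintext, account_id.encode())
    return {"account_id": account_id, "nonce": nonce,
            "ciphertext": ct, "wrapped_dek": wrapped}


def decrypt_record(ks: KeyService, envelope: dict) -> bytes:
    dek = ks.unwrap_data_key(envelope["wrapped_dek"])
    return AESGCM(dek).decrypt(envelope["nonce"], envelope["ciphertext"],
                               envelope["account_id"].encode())


def can_decrypt(ks: KeyService, envelope: dict) -> bool:
    try:
        decrypt_record(ks, envelope)
        return True
    except InvalidTag:
        return False


def demo() -> dict:
    """Constructed sample record; reports which decryption attempts succeed."""
    prod_keys = KeyService()
    record = encrypt_record(prod_keys, "acct-1", b"constructed sample: grade 87/100")
    # A different KEK (another account's or region's key service) cannot open
    # the envelope, which is what separate keys for backups buys you.
    other_keys = KeyService()
    relabelled = dict(record, account_id="acct-2")
    return {
        "owner": can_decrypt(prod_keys, record),
        "other_kek": can_decrypt(other_keys, record),
        "relabelled": can_decrypt(prod_keys, relabelled),
    }
```

In production the KeyService calls would be KMS GenerateDataKey/Decrypt (or an HSM wrap/unwrap operation), and the plaintext data key should be zeroed or dropped as soon as the record is processed.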

Network Security

To keep customer data separate from test and development data, Kritik divides its systems into separate networks. Development and testing systems are hosted in a distinct network segment and managed in a different AWS account. Customer data submitted to Kritik is stored only in the production environment. Kritik limits administrative access to the production environment to support staff and to engineers with a specific business need.

Kritik tightly restricts access to the production environment. All application servers have private, non-routable IP addresses, and most systems can be reached only on ports 443 or 80 through dedicated load balancers.

Infrastructure

Customer data is processed and logically segregated in multi-tenant datastores. Strict access controls in the application code prevent cross-customer data access. All data in the system is tagged with an account, and every request to the system must carry an account context. Any attempt to tamper with an open session results in that session being logged out and all of its further requests refused.
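The two controls in that paragraph, an account context on every query and refusal of tampered sessions, are what separate a multi-tenant datastore from an insecure direct object reference. The following is an added example, not Kritik's code: the table schema, the HMAC-signed session format and the server-side secret are assumptions, and the unscoped lookup is shown only to contrast with the scoped one.

```python
"""Per-account data scoping and session integrity in a multi-tenant store.

Added example, not Kritik's code. The schema, session token format and the
server-side secret are assumptions. Uses only the standard library.
"""
import base64
import hashlib
import hmac
import json
import sqlite3

SESSION_KEY = b"constructed-server-side-secret"  # assumption: never sent to clients


class SessionTampered(Exception):
    """Raised when a session token fails integrity checks."""


def build_db() -> sqlite3.Connection:
    """Constructed sample data: every row carries the account that owns it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE submissions (id INTEGER PRIMARY KEY, "
               "account_id TEXT NOT NULL, body TEXT NOT NULL)")
    db.executemany("INSERT INTO submissions VALUES (?, ?, ?)", [
        (1, "acct-1", "essay from account 1"),
        (2, "acct-2", "essay from account 2"),
    ])
    return db


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def issue_session(account_id: str) -> str:
    """Token = base64(payload).base64(HMAC-SHA256(payload)). The account id is
    visible to the client, but the signature stops the client from editing it."""
    payload = json.dumps({"account_id": account_id}).encode()
    sig = hmac.new(SESSION_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def account_from_session(token: str) -> str:
    """Resolve the account context for a request. A malformed or altered token
    is refused outright; none of its fields are trusted before the check."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):
        raise SessionTampered("malformed session")
    expected = hmac.new(SESSION_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise SessionTampered("bad signature")
    return json.loads(payload)["account_id"]


def get_submission_unscoped(db, token: str, submission_id: int):
    """Anti-pattern: authenticates the caller but queries by id alone, so any
    logged-in user can read any tenant's row by guessing ids (IDOR)."""
    account_from_session(token)
    row = db.execute("SELECT body FROM submissions WHERE id = ?",
                     (submission_id,)).fetchone()
    return row[0] if row else None


def get_submission(db, token: str, submission_id: int):
    """Scoped: the account from the verified session is part of every query,
    so another tenant's row is indistinguishable from a missing one."""
    account_id = account_from_session(token)
    row = db.execute("SELECT body FROM submissions WHERE id = ? AND account_id = ?",
                     (submission_id, account_id)).fetchone()
    return row[0] if row else None


def tamper(token: str, new_account: str) -> str:
    """Simulate a client rewriting the account id inside its own session."""
    _, s64 = token.split(".")
    payload = json.dumps({"account_id": new_account}).encode()
    return _b64(payload) + "." + s64
```

Two design points: the account id is taken from the verified session, never from a request parameter, and the scoped query returns None for a foreign row rather than a distinct "forbidden" error, so an attacker cannot enumerate which ids exist in other tenants.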

Secure Development Lifecycle

Security is a critical part of Kritik's software development lifecycle (SDLC), and our systems are designed to follow OWASP principles. All changes to Kritik's infrastructure or production code are subject to code review. Kritik's application servers start from well-known images that the team updates frequently with the latest code and operating system patches. Before delivery, code changes are checked in separate testing environments, through manual code review, and with automated static code analysis. Because we use a continuous deployment model, customers benefit immediately from bug fixes and upgrades, and critical updates and vulnerability fixes can be prioritized at once. Kritik also monitors its dependencies for vulnerabilities so that the third-party code we rely on does not contain known security issues.

Logging and Monitoring

All access to production systems is logged and monitored by Kritik's operations team. Each request for elevated access to the production environment is reviewed and approved to confirm a legitimate business need, and that access expires automatically. Direct system access to production servers additionally requires a private key that one of our administrative users has countersigned. Kritik's operations team provides 24/7 coverage through an on-call rotation, and several dozen alarms are in place to confirm that all systems are operating as expected.
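A countersigned key with automatic expiry is the model an SSH certificate authority implements: the engineer's key is accepted by a host only while an administrator's signature over it, its target host and its validity window checks out. The following is an added example of that check, not Kritik's tooling: the grant format, the "trusted administrator" key list and the host names are assumptions, and it requires the third-party `cryptography` package.

```python
"""Countersigned, time-limited access grants for production hosts.

Added example, not Kritik's tooling. The grant format and the trusted
administrator key list are assumptions; the pattern mirrors what an SSH
certificate authority does. Requires the third-party `cryptography` package.
"""
import json
from typing import List, Optional

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def raw_public(key: Ed25519PrivateKey) -> bytes:
    return key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)


def _grant_message(body: dict) -> bytes:
    # Canonical encoding so signer and verifier sign/verify identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def countersign(admin_key: Ed25519PrivateKey, engineer_pub: bytes,
                host: str, ttl_s: int, now: int) -> dict:
    """An administrator signs (engineer's public key, host, validity window).
    The engineer's private key never leaves the engineer; only its public
    half is bound into the grant."""
    body = {"engineer_pub": engineer_pub.hex(), "host": host,
            "not_before": now, "not_after": now + ttl_s}
    return {"body": body, "sig": admin_key.sign(_grant_message(body)).hex()}


def verify_grant(trusted_admins: List[Ed25519PublicKey], grant: dict,
                 engineer_pub: bytes, host: str, now: int) -> Optional[str]:
    """Host-side check. Returns None when access is allowed, otherwise the
    reason it was refused. The signature is verified before any field in the
    grant body is trusted."""
    msg = _grant_message(grant["body"])
    sig = bytes.fromhex(grant["sig"])
    for admin in trusted_admins:
        try:
            admin.verify(sig, msg)
            break
        except InvalidSignature:
            continue
    else:
        return "not countersigned by a trusted administrator"
    body = grant["body"]
    if body["engineer_pub"] != engineer_pub.hex():
        return "grant was issued for a different key"
    if body["host"] != host:
        return "grant is not valid for this host"
    if not body["not_before"] <= now < body["not_after"]:
        return "grant has expired"
    return None


def demo() -> dict:
    """Constructed keys and timestamps; exercises the accept and refuse paths."""
    admin = Ed25519PrivateKey.generate()
    rogue = Ed25519PrivateKey.generate()  # an engineer signing their own grant
    engineer_pub = raw_public(Ed25519PrivateKey.generate())
    trusted = [admin.public_key()]
    t0 = 1_700_000_000
    grant = countersign(admin, engineer_pub, "prod-app-1", 8 * 3600, t0)
    self_signed = countersign(rogue, engineer_pub, "prod-app-1", 8 * 3600, t0)
    return {
        "fresh": verify_grant(trusted, grant, engineer_pub, "prod-app-1", t0 + 60),
        "expired": verify_grant(trusted, grant, engineer_pub, "prod-app-1", t0 + 9 * 3600),
        "wrong_host": verify_grant(trusted, grant, engineer_pub, "prod-db-1", t0 + 60),
        "self_signed": verify_grant(trusted, self_signed, engineer_pub, "prod-app-1", t0 + 60),
    }
```

With OpenSSH the same checks are performed by the server against a user certificate (`ssh-keygen -s` with `-V` for the validity window and `-n` for the permitted principals); the explicit version above makes visible why expiry and the admin signature are evaluated on the host rather than trusted from the client.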

File and Database Backups

In addition to complete daily snapshots, every production database instance streams backups, via database replicas, to a separate AWS account that stores them. Access to that account is available only to a limited number of executive-level employees, through a token that requires multi-factor authentication. For disaster recovery purposes, file backups are streamed continuously to the same backup account. All backups are encrypted and stored in a different geographical region, with keys separate from those protecting the original production data. At least annually, Kritik performs backup restoration drills to verify the process and to ensure we can recover quickly in the event of a disaster.

Conclusion

Kritik takes its users' data security seriously and is committed to keeping all customer data confidential and secure.